Hi everyone! I’ve been using Caddy for a couple of years, and I’m hoping to get some guidance on proper config for ZeroSSL (or anything else that looks wrong).
1. The problem I’m having:
Before now, we’ve been using Caddy with Let’s Encrypt. We have a large number (thousands) of subdomains and other custom domains, so we often hit Let’s Encrypt rate limits. Falling back to ZeroSSL never seemed to help. I’m now trying again to switch to ZeroSSL exclusively to work around these limits.
After updating the Caddyfile to only use ZeroSSL, we still get errors in the log when renewing domains. I’ve also updated Caddy to the latest version.
I have a paid ($50/month) ZeroSSL account. No certificates from Caddy have ever shown up in the dashboard. This leads me to think the API key is not wired up correctly. I have tried many different variations of the issuer config, including email, etc.
Thanks!
2. Error messages and/or full log output:
Recent errors look like this (I’ve replaced the domain with just “domain” here):
2023/12/30 18:36:41.300 ERROR tls.renew could not get certificate from issuer {"identifier": "domain", "issuer": "acme.zerossl.com-v2-DV90", "error": "[domain] solving challenges: authz https://acme.zerossl.com/v2/DV90/authz/gvsJBCc4dVPkjCy1897U4Q has unexpected status; order will fail: invalid (order=https://acme.zerossl.com/v2/DV90/order/cLkJ-yQWBhftsARl1KGNmw) (ca=https://acme.zerossl.com/v2/DV90)"}
2023/12/30 18:36:41.300 ERROR tls.renew will retry {"error": "[domain] Renew: [domain] solving challenges: authz https://acme.zerossl.com/v2/DV90/authz/gvsJBCc4dVPkjCy1897U4Q has unexpected status; order will fail: invalid (order=https://acme.zerossl.com/v2/DV90/order/cLkJ-yQWBhftsARl1KGNmw) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 3, "retrying_in": 120, "elapsed": 191.884578831, "max_duration": 2592000}
Before upgrading Caddy, I was also getting HTTP 429 rate limit errors.
3. Caddy version:
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
4. How I installed and ran Caddy:
a. System environment:
Debian 4.19.0-17-amd64
b. Command:
sudo xcaddy build --with github.com/gamalan/caddy-tlsredis
sudo ./caddy start
c. Service/unit/compose file:
d. My complete Caddy config:
I’ve replaced API keys and Redis info. The Redis module is used to track cert info across multiple web servers.
{
	on_demand_tls {
		# Caddy calls this with ?domain=<name> before issuing; a 200 OK allows issuance
		ask https://micro.blog/pages/ssl/check # will pass ?domain=, return 200 OK
		interval 2m
		burst 100 # 100 every 2 minutes
	}
	# shared certificate storage so every web server sees the same certs and locks
	storage redis {
		host ""
		port 1234
		password "ABCDEFGHIJKL"
		db 1
	}
	log {
		output file /var/log/caddy-main.log {
			roll_keep_for 5d
		}
		format console
	}
}

:443 {
	tls {
		on_demand
		# ZeroSSL issuer with the account API key (redacted)
		issuer zerossl ABCDEFGHIJKL
	}
	root * /home/web/sites/{host}
	file_server
	header Access-Control-Allow-Origin "*"
	log {
		output file /var/log/caddy-access.log {
			roll_keep_for 5d
		}
		format console
	}
	handle_errors {
		@502 {
			expression {http.error.status_code} == 502
		}
		handle @502 {
			rewrite * 502.html
			file_server
		}
		handle {
			rewrite * /pages/migration/redirect{uri}
			reverse_proxy micro.blog {
				header_up Host micro.blog
				header_up X-Migration-Host {host}
			}
		}
	}
}
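The `ask` endpoint in the config above is the only thing standing between an arbitrary client and a paid ACME order: with `on_demand` enabled, any hostname presented in SNI makes Caddy call the endpoint, and a 2xx answer lets it open an order with the CA. If that check is loose, strangers can burn the account's rate limits and quota on names that will never validate, which is exactly the kind of `authz ... invalid` noise in the log. Below is an added example of such an endpoint in Go (Caddy's own language); it is not code from the original post, from Caddy, or from micro.blog. The exact-match allowlist, the `allowedSuffixes` list and the listen address are assumptions standing in for the poster's site database.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"strings"
)

// allowed is a constructed stand-in for the site database: hostnames that have a
// directory under /home/web/sites/{host} and may get a certificate on demand.
// In production this would be a database or Redis lookup, not a literal map.
var allowed = map[string]bool{
	"example.org":      true,
	"blog.example.org": true,
}

// allowedSuffixes covers parent domains whose subdomains are all ours (the
// "thousands of subdomains" case). Also an assumption for this example.
var allowedSuffixes = []string{".sites.example.net"}

// normalizeHost lowercases the name, strips a trailing dot, and rejects anything
// that is not a plain DNS hostname: IP literals, wildcards, ports, empty or
// malformed labels, overlong names. ACME CAs reject these anyway, so refusing
// them here avoids wasting an order on a name that can never validate.
func normalizeHost(raw string) (string, bool) {
	h := strings.ToLower(strings.TrimSuffix(strings.TrimSpace(raw), "."))
	if h == "" || len(h) > 253 {
		return "", false
	}
	if net.ParseIP(h) != nil || strings.ContainsAny(h, "*:/ ") {
		return "", false
	}
	for _, label := range strings.Split(h, ".") {
		if label == "" || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
			return "", false
		}
		for _, c := range label {
			if !(c >= 'a' && c <= 'z' || c >= '0' && c <= '9' || c == '-') {
				return "", false
			}
		}
	}
	return h, true
}

// permitted reports whether Caddy may obtain a certificate for host: either an
// exact allowlist hit, or a real subdomain (at least one label) of an allowed suffix.
func permitted(host string) bool {
	h, ok := normalizeHost(host)
	if !ok {
		return false
	}
	if allowed[h] {
		return true
	}
	for _, suf := range allowedSuffixes {
		if strings.HasSuffix(h, suf) && len(h) > len(suf) {
			return true
		}
	}
	return false
}

// askHandler is what Caddy calls as GET <ask URL>?domain=<host>.
// A 2xx status means "go ahead and issue"; anything else refuses issuance.
func askHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	domain := r.URL.Query().Get("domain")
	if !permitted(domain) {
		// Refusals are worth logging: a burst of them is either a misconfigured
		// site or someone probing the on-demand endpoint.
		log.Printf("on-demand TLS refused for %q from %s", domain, r.RemoteAddr)
		http.Error(w, "domain not allowed", http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintln(w, "ok")
}

func main() {
	// Listen address is an assumption; put this behind the same origin that
	// serves /pages/ssl/check so the Caddyfile's `ask` URL does not change.
	http.HandleFunc("/pages/ssl/check", askHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The point of `normalizeHost` is that the `ask` check is the cheapest place to reject names that a CA will fail anyway (IP literals, wildcards, hosts with ports); every name that gets past it costs an ACME order against the account's limits, and with a paid CA, money. Keep the allowlist lookup fast and the endpoint reachable only from the Caddy hosts, since an outage there turns into "no new certificates" rather than "issue everything".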